
cleaning $_POST variables [duplicate]

This question already has answers here: Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection? (6 answers) Closed 8 years ago.

I'm trying to come up with a way to effectively and easily clean all POST and GET variables with a single function. Here's the function itself:

//clean the user's input
function cleanInput($value, $link = null)
{
    //if the variable is an array, recurse into it
    if(is_array($value))
    {
        //for each element in the array...
        foreach($value as $key => $val)
        {
            //...clean the content of each variable in the array,
            //passing $link down so nested values use the same connection
            $value[$key] = cleanInput($val, $link);
        }

        //return clean array
        return $value;
    }
    else
    {
        //with $link null, mysql_real_escape_string() uses the last opened connection
        return mysql_real_escape_string(strip_tags(trim($value)), $link);
    }
}

And here's the code that would call it:

//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value)
{
    $_POST[$key] = cleanInput($value, $link);
}

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value)
{
    $_GET[$key] = cleanInput($value, $link);
}

To me this seems like it should work. But for some reason it won't return arrays from some checkboxes I have in a form. They keep coming out blank.

I've tested my code without the above function and it works fine, I just want that added bit of security in there.

Thanks!


Use filter_input if possible (PHP 5+). It keeps it a lot cleaner and, as far as I'm aware, you can sanitise and validate everything you could need using it.

You can use filter_var_array with, for example, the FILTER_SANITIZE_STRING filter to filter the whole POST array:

filter_var_array($_POST, FILTER_SANITIZE_STRING); //just an example filter

There are loads of different filter options available on the w3schools filter reference.


What you're doing isn't enough. See here.


To make the recursion more elegant you could use something like array_map, for example:

$_POST = array_map('mysql_real_escape_string', $_POST);

Use filter_var if you can though, as these kinds of approaches are generally bad; just an example though ;)


Unchecked checkboxes are not sent to the server.

You may use array_walk_recursive to do what you want.


This is the wrong way to go about cleaning input.

Applying blanket mysql escaping to absolutely everything in $_POST and $_GET is going to come back and bite you, if you still want to use the data after you've made a database query but you don't want the escape characters in there.

Use parameterised queries with mysqli or PDO and you will never need to use mysql_real_escape_string().
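What the answer above recommends, as an added example that is not part of the question or any answer: validate each field (including a checkbox array, which is only present when a box is ticked) with filter_input_array, then insert through PDO prepared statements so no escape characters ever end up in the stored data. The table and column names, form field names and DSN credentials are assumptions.

```php
<?php
// Added example, not code from the question or any answer above.
// Assumed schema: comments(id, author, body) and comment_tags(comment_id, tag_id);
// assumed form fields: author, body, and a checkbox group named tags[].
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// 1. Validate each field for what it must be, instead of blanket-escaping all of $_POST.
function readCommentForm(): array
{
    $in = filter_input_array(INPUT_POST, [
        'author' => ['filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_SCALAR],
        'body'   => ['filter' => FILTER_DEFAULT, 'flags' => FILTER_REQUIRE_SCALAR],
        // tags[] must be an array of positive ints; unchecked boxes are simply absent
        'tags'   => ['filter' => FILTER_VALIDATE_INT, 'flags' => FILTER_REQUIRE_ARRAY,
                     'options' => ['min_range' => 1]],
    ], true) ?: [];
    if (!is_string($in['author'] ?? null) || !is_string($in['body'] ?? null)) {
        throw new InvalidArgumentException('author and body must be single strings');
    }
    $tags = $in['tags'] ?? [];                                // null when nothing was ticked
    if (!is_array($tags) || in_array(false, $tags, true)) {   // false = failed validation
        throw new InvalidArgumentException('tags must be positive integers');
    }
    return ['author' => trim($in['author']), 'body' => trim($in['body']), 'tags' => $tags];
}

// 2. Bound parameters carry the raw value; nothing is escaped into the data.
function saveComment(PDO $db, array $form): int
{
    $db->beginTransaction();
    $ins = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $ins->execute([':author' => $form['author'], ':body' => $form['body']]);
    $id  = (int) $db->lastInsertId();
    $tag = $db->prepare('INSERT INTO comment_tags (comment_id, tag_id) VALUES (?, ?)');
    foreach ($form['tags'] as $tagId) {
        $tag->execute([$id, $tagId]);
    }
    $db->commit();
    return $id;
}

// 3. Escape for the output context only when rendering, so the stored text stays usable.
$form = readCommentForm();
echo 'Saved comment #' . saveComment(connect(), $form) . ' by ' . htmlspecialchars($form['author'], ENT_QUOTES, 'UTF-8');
```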
